Skip to content

Commit

Permalink
1.41.1
Browse files Browse the repository at this point in the history
  • Loading branch information
richvdh committed Aug 31, 2021
1 parent 8c26f16 commit a4c8a2f
Show file tree
Hide file tree
Showing 3 changed files with 39 additions and 1 deletion.
32 changes: 32 additions & 0 deletions CHANGES.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,35 @@
Synapse 1.41.1 (2021-08-31)
===========================

Due to the two security issues highlighted below, server administrators are encouraged to update Synapse. We are not aware of these vulnerabilities being exploited in the wild.

Security advisory
-----------------

The following issues are fixed in v1.41.1.

- **[GHSA-3x4c-pq33-4w3q](https://github.com/matrix-org/synapse/security/advisories/GHSA-3x4c-pq33-4w3q) / [CVE-2021-39164](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39164): Enumerating a private room's list of members and their display names.**

If an unauthorized user both knows the Room ID of a private room *and* that room's history visibility is set to `shared`, then they may be able to enumerate the room's members, including their display names.

The unauthorized user must be on the same homeserver as a user who is a member of the target room.

Fixed by [52c7a51cf](https://github.com/matrix-org/synapse/commit/52c7a51cf).

- **[GHSA-jj53-8fmw-f2w2](https://github.com/matrix-org/synapse/security/advisories/GHSA-jj53-8fmw-f2w2) / [CVE-2021-39163](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39163): Disclosing a private room's name, avatar, topic, and number of members.**

If an unauthorized user knows the Room ID of a private room, then its name, avatar, topic, and number of members may be disclosed through Group / Community features.

The unauthorized user must be on the same homeserver as a user who is a member of the target room, and their homeserver must allow non-administrators to create groups (`enable_group_creation` in the Synapse configuration; off by default).

Fixed by [cb35df940a](https://github.com/matrix-org/synapse/commit/cb35df940a), [\#10723](https://github.com/matrix-org/synapse/issues/10723).

Bugfixes
--------

- Fix a regression introduced in Synapse 1.41 which broke email transmission on systems using older versions of the Twisted library. ([\#10713](https://github.com/matrix-org/synapse/issues/10713))


Synapse 1.41.0 (2021-08-24)
===========================

Expand Down
6 changes: 6 additions & 0 deletions debian/changelog
Original file line number Diff line number Diff line change
@@ -1,3 +1,9 @@
matrix-synapse-py3 (1.41.1) stable; urgency=high

* New synapse release 1.41.1.

-- Synapse Packaging team <[email protected]> Tue, 31 Aug 2021 12:59:10 +0100

matrix-synapse-py3 (1.41.0) stable; urgency=medium

* New synapse release 1.41.0.
Expand Down
2 changes: 1 addition & 1 deletion synapse/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@
except ImportError:
pass

__version__ = "1.41.0"
__version__ = "1.41.1"

if bool(os.environ.get("SYNAPSE_TEST_PATCH_LOG_CONTEXTS", False)):
# We import here so that we don't have to install a bunch of deps when
Expand Down

0 comments on commit a4c8a2f

Please sign in to comment.